Gas's blog


Fail2ban and postfix sasl


Today I found the usual Chinese host trying to get into my SMTP server to send its spam to the world, and I realized that fail2ban wasn't working because the regexp used to match the offender was wrong.

This is the log entry (/var/log/mail):
Aug 21 22:45:30 myserver postfix/smtpd[12071]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure

and this is the regex that works: just remove the part after "authentication failed" (/etc/fail2ban/filter.d/sasl.conf)

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

Test it:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

If you are on a slow server or on a big mail server, use /var/log/mail.err instead.
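To see what fail2ban-regex is doing with this filter, here is an added example (not code from the post or from fail2ban itself) that expands the <HOST> tag, runs the corrected failregex over a few constructed log lines, and applies a maxretry-style threshold; the HOST_GROUP substitution is a simplified assumption standing in for fail2ban's own.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag in a failregex into a named group that
# captures the offending address. This stand-in is an assumption, simplified
# from fail2ban's own substitution: it accepts IPv4 addresses and hostnames.
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# The corrected failregex from the post, as written in sasl.conf.
FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")


def compile_failregex(failregex: str) -> "re.Pattern":
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matching_hosts(lines, failregex: str = FAILREGEX):
    """Return the host captured from every line the filter matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, maxretry: int = 3, failregex: str = FAILREGEX):
    """Hosts with at least `maxretry` matches, like fail2ban's ban decision."""
    counts = Counter(matching_hosts(lines, failregex))
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "Aug 21 22:45:30 myserver postfix/smtpd[12071]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Aug 21 22:45:31 myserver postfix/smtpd[12071]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure",
    "Aug 21 22:45:33 myserver postfix/smtpd[12071]: warning: unknown[203.0.113.7]: SASL CRAM-MD5 authentication failed: authentication failure",
    "Aug 21 22:46:02 myserver postfix/smtpd[12080]: warning: mail.example.net[198.51.100.4]: SASL LOGIN authentication failed: authentication failure",
    "Aug 21 22:46:10 myserver postfix/smtpd[12080]: connect from mail.example.net[198.51.100.4]",
]

if __name__ == "__main__":
    print("matched:", matching_hosts(SAMPLE_LOG))   # four matches, one per failed login
    print("ban:", hosts_to_ban(SAMPLE_LOG))         # only the host with 3+ failures
```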

Written by gas

August 21st, 2010 at 11:18 pm

Posted in English, Linux


2 Responses to 'Fail2ban and postfix sasl'


  1. The above regexp does not work for me. I use it on Debian Lenny with Fail2Ban v0.8.3:

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

    Ivan Galabov

    15 nov 10 at 11:55

  2. Hi gas,

    thanks for writing this short article. Although it’s not complicated it takes some time to get into the fail2ban mechanisms and discover the mistake without hints.

    It has just helped me stop a Postfix+SASL attack coming from US Comcast. Thanks in advance.

    Daniel from Germany

    29 mar 11 at 18:32
